The prpl Foundation has teamed up with the Continental Automated Buildings Association (CABA) on research projects to improve standards in smart home security.

The Foundation is an open-source, community-driven, collaborative group with a focus on enabling next-generation datacentre-to-device portable software and virtualized architectures, based around the MIPS architecture.

“prpl’s alliance with CABA is an incredibly important step in the advancement of smart home technology,” said Art Swift, president of the prpl Foundation. “By collaborating with CABA’s wealth of smart home security experts and members, we will work together to provide high quality research and guidance that will push IoT industry standards to make sure that consumers are kept safe as connected device usage in their homes grows.”

Prpl’s recent Smart Home Security Report found that the smart home is already here (see graphic above) and that device adoption has in certain cases reached a tipping point despite being insecure. Through prpl’s alignment with CABA, an organization that is supported by an international membership of nearly 350 companies and 25,000+ industry professionals, the two organizations will progress security developments within smart home technologies.

“We are delighted to enter this alliance with the prpl Foundation as a demonstration of our commitment to developing industry standards and protocols across industry initiatives,” said Ron Zimmer, president and CEO of CABA. “We look forward to participating in prpl’s vibrant, open-source communities, in particular the security working group, and collaborating on future smart home projects.”

The prpl Foundation promotes the use of open source software to improve the security and interoperability of the Internet of Things (IoT). It has created a comprehensive framework for Securing Critical Areas of Embedded Computing, a peer-reviewed, actionable guide that has been put into practice with a successful proof of concept.

“IoT security is not a problem that is going to be fixed by one single entity, it will take the industry at large to get involved to create communities and advance our knowledge of the subject matter,” said Swift. “Prpl is pleased to be working with CABA and welcomes the opportunity to work with others to promote better standards for IoT and making the connected world more secure for consumers.”

Tuesday, November 22, 2016

Researchers in the US have developed a new program that tries to preempt cyber attacks by allowing programs to continuously scramble their code as they run, effectively closing the window of opportunity for an attack.

"Shuffler makes it nearly impossible to turn a bug into a functioning attack, defending software developers from their mistakes," said David Williams-King, a graduate student at Columbia Engineering. "Attackers are unable to figure out the program's layout if the code keeps changing."

Even after repeated debugging, software typically contains up to 50 errors per 1,000 lines of code, each a potential avenue for attack. Though security defenses are constantly evolving, attackers are quick to find new ways in.

In the early 2000s, computer operating systems adopted a security feature called address space layout randomization, or ASLR. This technique rearranges memory when a program launches, making it harder for hackers to find and reuse existing code to take over the machine. But hackers soon discovered they could exploit memory disclosure bugs to grab code fragments once the program was already running.

Shuffler was developed to deflect this latter style of code-reuse attack. It takes ASLR's code-scrambling approach to the extreme by randomizing small blocks of code every 20 to 50 milliseconds, imposing a severe deadline on would-be attackers. Until now, shifting around running code as a security measure was thought to be technically impractical because existing solutions require specialized hardware or software.

"By the time the server returns the information the attacker needs, it is already invalid --Shuffler has already relocated the respective code snippets to different memory locations," said study coauthor Vasileios Kemerlis, a computer science professor at Brown University.

Designed to be user-friendly, Shuffler runs alongside the code it defends, without modifications to program compilers or the computer's operating system. It even randomizes itself to defend against possible bugs in its own code.

The researchers say Shuffler runs faster and requires fewer system changes than similar continuous-randomization software such as TASR and Remix, developed at MIT Lincoln Labs and Florida State University respectively.

As an invitation to other researchers to try to break Shuffler, Williams-King is currently running the software on his personal website. (He can check that the code is shuffling and whether anyone has attacked the site by reviewing the program's logs.)

On computation-heavy workloads, Shuffler slows programs by 15 percent on average, but at larger scales--a webserver running on 12 CPU cores, for example--the drop in performance is negligible, the researchers say.

This versatility means that software distributors as well as security-conscious individuals could be potential end users. "It's the first system that is trying to be a serious defense that people can use, right now," said Williams-King.

Shuffler needs a few last improvements before it is made public. The researchers say they want to make it easier to use on software they haven't yet tested. They also want to improve Shuffler's ability to defend against exploits that take advantage of server crashes.

"Billions of lines of vulnerable code are out there," said the study's senior author, Junfeng Yang, a computer science professor at Columbia Engineering and member of the Data Science Institute. "Rather than finding every bug or rewriting all billions of lines of code in safer languages, Shuffler instantly lets us build a stronger defense."

ON Semiconductor has launched a modular IoT Development Kit (IDK) that provides engineers with all of the hardware and software building blocks needed to speed the evaluation, design and implementation of medical, home, and industrial IoT applications.

The kit combines power-efficient devices for smart and connected IoT designs, including sensors, power management, connectivity, processors and actuators. By combining these with a comprehensive software framework, the IDK offers a modular, easy-to-use and compact platform that provides developers with access to everything they need to rapidly develop cloud-based IoT designs.

The ON Semiconductor IDK incorporates a variety of module options for sensing, wired and wireless connectivity and actuation. Its software development framework encompasses an embedded operating system (ARM mbed OS), drivers, APIs for hardware shields, a graphical user interface (GUI), and sample application code. Built-in support for cloud software enables the platform to deliver data into the cloud for value-added services such as analytics. The extensible modular architecture includes a variety of industry-standard interfaces such as Arduino and Pmod, allowing the integration of existing and future modules from both ON Semiconductor and third parties.

“ON Semiconductor offers a one stop shop of leadership semiconductor elements for industrial, medical and home IoT applications. By providing a single, modular, extensible platform that combines hardware, software and support for integrating third parties, the new IDK allows engineers to quickly and easily harness the power of ON Semiconductor solutions and significantly simplify the prototyping of cloud-based applications,” said Wiren Perera, IoT Strategist for ON Semiconductor.

The IDK is capable of supporting numerous application areas, including industrial automation, intelligent lighting, building automation, smart cities and a wide range of medical monitoring designs.

The IoT Development Kit will be available through distribution partners.
